Australia has accused a China-backed hacker group of breaching government networks in 2022, highlighting ongoing cybersecurity concerns.

The Australian Cyber Security Centre, in collaboration with international counterparts, released a joint report naming the group as APT40 and detailing their purported involvement in malicious cyber operations. The agency said APT40 stole hundreds of passwords and usernames from two unnamed Australian networks two years ago.


Australia Accuses China-Backed Hackers of Infiltrating Government Networks

According to the report, APT40 is believed to operate under the auspices of China's Ministry of State Security, the agency responsible for the country's foreign intelligence activities.

The report alleged that the activities attributed to APT40 align with those observed in other state-sponsored cyber operations globally, posing potential threats to cybersecurity infrastructures beyond Australia's borders.

The advisory indicated that APT40 had targeted various countries, including Australia and the United States. The same activity is tracked in industry reporting under several other names, including Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk.

The group is reportedly based in Haikou, Hainan Province, China, and is purportedly directed by the PRC Ministry of State Security's Hainan State Security Department.


Cyber Operations of APT40

APT40's cyber operations allegedly exploit vulnerabilities in targeted networks, focusing on identifying and exploiting weaknesses in public-facing infrastructure.

Their strategies reportedly include rapidly adapting exploit proofs-of-concept for newly discovered vulnerabilities in widely used software systems, enhancing their capability to infiltrate and maintain persistence within compromised networks.

The Australian Cyber Security Centre advisory includes detailed case studies illustrating APT40's techniques and the impact on victim networks. These case studies are intended to assist cybersecurity practitioners in identifying, preventing, and mitigating intrusions by APT40 and similar threat actors.

The advisory suggests that APT40 prefers to exploit vulnerable, publicly accessible infrastructure rather than relying on techniques that require user interaction, such as phishing campaigns. The group places significant emphasis on acquiring valid credentials, which it then uses to enable a range of follow-on activity.

Furthermore, the Australian government noted that APT40 frequently employs web shells to maintain persistence in compromised systems, particularly in the initial stages of intrusion.

Because this persistence is established so early, it is likely to be present in every APT40 intrusion, regardless of how far the compromise progresses or what further actions the actor takes, which makes web shells a consistent detection opportunity. The advisory was collaboratively authored with contributions from the United States, the UK, Germany, Japan, South Korea, and other international partners.
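The point about early web shell persistence being observable in every intrusion suggests a concrete defensive check. The following Python scanner is an added example, not code from the advisory or from the article: it walks a web root looking for files that combine a code-execution construct with attacker-controlled request input or an obfuscation layer, and it weights files that are absent from the application's known-good file manifest. The file names and contents below are constructed samples, and the scoring thresholds are the author's assumptions rather than anything the advisory prescribes.

```python
import re
from dataclasses import dataclass

# Patterns typical of PHP, ASPX and JSP web shells, grouped by family.
# A single family hit (e.g. a legitimate exec() in a cron script) is not
# enough on its own; flagging requires an exec family plus one more signal.
INDICATORS = {
    "php_exec": re.compile(
        r"\b(eval|assert|system|shell_exec|exec|passthru|popen|proc_open)\s*\(", re.I),
    "php_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b"),
    "php_obfusc": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "aspx_exec": re.compile(r"Process\.Start|Eval\(Request|JScript\.Eval", re.I),
    "jsp_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I),
}

# Constructed sample web root: path -> file content. Not real deployments.
SAMPLE_WEBROOT = {
    "index.php": "<?php echo 'hello'; ?>",
    "admin/login.php": "<?php $u = $_POST['user']; check_login($u); ?>",
    "cron/job.php": "<?php exec('php artisan schedule:run'); ?>",
    "uploads/img.php": "<?php @eval(base64_decode($_REQUEST['x'])); ?>",
    "tools/run.php": "<?php system($_GET['c']); ?>",
    "bin/shell.aspx": '<%@ Page Language="C#" %>'
                      '<% System.Diagnostics.Process.Start("cmd.exe", Request["c"]); %>',
}

# Constructed known-good manifest (e.g. the file list from the deployment
# package). Files outside it are new arrivals and get an extra point.
BASELINE = {"index.php", "admin/login.php", "cron/job.php"}


@dataclass
class Finding:
    path: str
    families: list
    new_file: bool
    score: int


def scan_file(path: str, content: str, baseline: set) -> Finding:
    """Score one file: one point per indicator family, plus one if unbaselined."""
    families = [name for name, rx in INDICATORS.items() if rx.search(content)]
    new_file = path not in baseline
    return Finding(path, families, new_file, len(families) + (1 if new_file else 0))


def scan_webroot(files: dict, baseline: set, threshold: int = 2) -> list:
    """Return findings that reach the threshold AND contain an exec-type construct,
    ordered from most to least suspicious."""
    findings = []
    for path, content in files.items():
        f = scan_file(path, content, baseline)
        if f.score >= threshold and any(fam.endswith("_exec") for fam in f.families):
            findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in scan_webroot(SAMPLE_WEBROOT, BASELINE):
        tag = "NEW" if f.new_file else "baselined"
        print(f"{f.score}  {f.path:20s} {tag:10s} {','.join(f.families)}")
```

The exec-plus-signal rule is what keeps the legitimate `cron/job.php` out of the results while still catching a bare `system($_GET['c'])`, and the manifest comparison is the cheap, high-value check: a freshly written script in an upload directory is exactly the artefact the advisory describes appearing at the start of an intrusion.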

"The following Advisory provides a sample of significant case studies of this adversary's techniques in action against two victim networks," the report said. "APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing." 

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.